Sunday, February 28, 2010

Scott Hanselman blogged about an excellent idea that he had seen where a PHP developer had created a 404 page that displayed a list of missing children.

In my opinion this is a great idea: people always end up seeing a 404 page, and by displaying a list of missing kids there, who knows, we might just be able to find a missing kid. Scott created a 404 page using only JavaScript (the original used server-side PHP). Scott’s implementation uses the ASP.Net AJAX Library and specifically its DataView control.

I wanted to make a few modifications to Scott’s implementation of the 404 page:

1. Make the page a lot easier for someone to download and reuse.

2. Use only jQuery.

3. Geolocate the user using their IP address.

The reason I wanted to use only jQuery was that I didn’t think it was necessary to download an extra JavaScript library just to display the data when jQuery could do it all. (In addition, I used direct references to jQuery instead of $, as that makes it easier to include on a DotNetNuke site.)

The biggest improvement in my opinion is the use of the client’s IP address to geolocate them. By geolocating the end user, I can restrict the list of children to the state the user is in. In my opinion this increases the probability of finding missing children, as the list is smaller and more relevant to the user.

For geolocating the user, I use two techniques. Because jQuery is loaded from Google’s content delivery network, I can use Google’s API to try to determine the location of the user. If this fails (and it often does), I fall back to IPInfoDB’s web service to geolocate the user.

As I use the Google API, you will need to generate a Google API key to use the code on a web server (if you are just testing, you don’t need to do anything). To get the key, go to http://code.google.com/apis/ajaxsearch/signup.html. Once you generate the key, plug it into the file at line 33 (or search for “YourGoogleApiKeyHere” to find the location).

Friday, February 26, 2010

Here is some quick code I wrote up that allows you to perform asymmetric encryption using the RSA algorithm. The keys used are from a digital certificate stored in the local user’s certificate store (the code to create a certificate for testing is also included in the sample).
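The following is an added example and not the post’s downloadable sample: it looks up a certificate in the current user’s Personal store by subject name (assumed here to be “RsaDemo”, e.g. a self-signed test certificate), encrypts with its public key and decrypts with its private key. RSA can only encrypt a few hundred bytes at a time, so in practice this is used to wrap a symmetric key rather than the data itself.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example, not the post's sample. Encrypts with the public key of a certificate in
// CurrentUser\My and decrypts with its private key. The subject name "RsaDemo" is assumed.
public static class CertRsa
{
    public static byte[] Encrypt(string subjectName, byte[] plaintext)
    {
        X509Certificate2 cert = FindCertificate(subjectName);
        RSACryptoServiceProvider rsa = (RSACryptoServiceProvider)cert.PublicKey.Key;
        // OAEP padding (second argument true) rather than PKCS#1 v1.5.
        // Capacity is keysize/8 - 42 bytes (214 bytes for a 2048-bit key); anything
        // larger is encrypted with a symmetric key, and only that key is wrapped this way.
        return rsa.Encrypt(plaintext, true);
    }

    public static byte[] Decrypt(string subjectName, byte[] ciphertext)
    {
        X509Certificate2 cert = FindCertificate(subjectName);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("Certificate has no private key: " + subjectName);
        RSACryptoServiceProvider rsa = (RSACryptoServiceProvider)cert.PrivateKey;
        return rsa.Decrypt(ciphertext, true);
    }

    static X509Certificate2 FindCertificate(string subjectName)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = false so a self-signed test certificate is found as well.
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindBySubjectName, subjectName, false);
            if (found.Count == 0)
                throw new ArgumentException("No certificate with subject " + subjectName);
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }

    public static void Main()
    {
        // Constructed sample message; round-trips through the certificate's key pair.
        byte[] secret = Encoding.UTF8.GetBytes("constructed sample message");
        byte[] cipher = Encrypt("RsaDemo", secret);
        byte[] plain = Decrypt("RsaDemo", cipher);
        Console.WriteLine(Encoding.UTF8.GetString(plain));
    }
}
```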

Tuesday, February 23, 2010

There is a major security loophole in DotNetNuke versions 4.9.2 and below where DNN will allow an unauthorized user to upload almost any file onto the server. This loophole, combined with the IIS 5/6 zero-day multiple-extension exploit, can give a hacker complete access to your website. So if you are on a DNN version that is not 4.9.4 and up, read on, as this is a huge hole in your website.

The DNN Issue:

If you browse to the following path on your DNN site, “Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx”, you will see a page that looks like this:

The above page on its own is not too bad. But if you now paste the following JavaScript code into the address bar and hit enter: “javascript:__doPostBack('ctlURL$cmdUpload','')”, you will see the following browse dialog, which will allow you to upload almost any file onto the website (restricted to the list of files allowed by FCKeditor, typically images, documents, etc.).
The above hack will typically lead to hackers dropping small txt files that have some kind of a notice saying that your website has been hacked!
It is hard to do anything substantial with this hack alone.
But wait, there is more…

The IIS Issue:

On December 25th of 2009, an “ethical” hacker found a vulnerability in IIS 5 and IIS 6 called the “semi-colon” bug or the “multiple extensions IIS/ASP bug”. Read More.

The semi-colon bug allows any file that has .asp in the file name to execute as an ASP file. This bug occurs in all versions of IIS 6 and prior. This means that a file named “innocuousFile.asp;.jpg” will be executed like an ASP file.

The big scary picture:

The 2 bugs on their own were bad, but on their own it would still be hard for anything really bad to happen. Together, though, they open up a can of worms that is going to have everyone in your organization pulling every fire alarm in the building. Here is the big picture:
1. Hacker fabricates an ASP file that uses COM objects such as the FileSystemObject to get complete access to your computer.
2. Hacker names the asp file as “myHack.asp;.jpg”.
3. Hacker navigates to the “Providers/HtmlEditorProviders/Fck/fcklinkgallery.aspx” file in his browser and uses the DNN loop hole to upload his myHack.asp;.jpg file. DNN complies because it thinks it is a simple jpg file. This is because DNN looks only at the last extension it finds in a file name.
4. The file uploads to the DNN website to the folder (WITHHELD – to protect unprotected DNN sites).
5. The hacker browses to the file that he uploaded. The file is delivered to the ASP processing engine by IIS and a page that opens up the entire computer to the hacker is displayed. This is because IIS has been coded such that it recognizes a file type based on its extension even if the extension is not the last part of the file name!!
6. The hacker uses his ASP page to get full control of your website (and I mean full control: all disk drives, connection strings, databases, registry, etc.). Nothing is safe after this.

Here is a sample ASP file called the “Smart Shell” that basically shows the capabilities a hacker can gain over your website (this kind of ASP file is also called the 3fexe ASP hack).

How to mitigate:

Because there is no known fix, there are only ways to mitigate this attack (hence it is a zero-day hack).

1. Rename the fcklinkgallery.aspx file

As fcklinkgallery.aspx is the entry point for this attack, the first thing to do is to rename this file. I suggest using a random file name, like a GUID. After you rename the file, you will need to update the “LinksGalleryPath” setting in your config file. This will be found in the <dotnetnuke><htmlEditor><providers><add name="FckHtmlEditorProvider"> section. Just look for “LinksGalleryPath” and update the value to the new file name.

If the hacker cannot browse to the fcklinkgallery.aspx file, he will not be able to upload an ASP file onto your DNN site.

(Update 03-30-2010: Gabe has included an extra step that needs to be taken to get the link editor to work after renaming the file; please see the comments below. Basically, you also need to rename "\Providers\HtmlEditorProviders\Fck\App_LocalResources\fcklinkgallery.aspx.resx" to match the renamed fcklinkgallery file.)

2. Remove Execute permission on the Portals folder of your DNN site

The sub-folder “Portals” in your DNN site typically does not need to be able to run ASP files or any other files, so remove “Execute” permissions on that folder:
Open up IIS.
Expand the website node for your DNN site.
Select the Portals node in the explorer view on the left.
Right click on the Portals node and open the Properties dialog.
Choose the Directory tab.
Set Execute Permissions to “None”.

3. Remove access to FileSystemObject

This falls into the excessively cautious category, as it is not really required. An important note: do not do this if you know that you have some ASP apps on your site that use FileSystemObject, as you might end up hosing those apps.

There are 2 ways to do this: remove access to this COM object from the security principal used to run your IIS website (typically ASPNET), or completely unregister the DLL.

1. Registry access:
Open registry editor.
Browse to “HKEY_CLASSES_ROOT\Scripting.FileSystemObject”, right click and under permissions deny access to the ASPNET user.
2. Completely disable FileSystemObject
Run regsvr32 /u scrrun.dll from the C:\windows\System32 folder.
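A code-level complement to the steps above for anyone maintaining their own upload code on a DNN site; this is an added example, not code from DNN or FCKeditor. The weak check looks only at the last extension, which is how the post describes “myHack.asp;.jpg” getting through as a JPEG; the strict check rejects the semicolon outright and requires exactly one extension from an allowlist (the allowlist is constructed for the example).

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Added example, not DNN or FCKeditor code. Contrasts a last-extension-only check with one
// that rejects names IIS 5/6 could parse as "something.asp" followed by a terminator.
public static class UploadNameCheck
{
    // Constructed allowlist of upload extensions; adapt to what the site actually needs.
    static readonly HashSet<string> Allowed = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "jpg", "jpeg", "gif", "png", "pdf", "doc", "txt"
    };

    // Weak form: examines only the text after the final '.', so "myHack.asp;.jpg" passes.
    public static bool WeakIsAllowed(string fileName)
    {
        string last = Path.GetExtension(fileName).TrimStart('.');
        return Allowed.Contains(last);
    }

    // Strict form: no ';' or ':' anywhere (IIS 5/6 stops parsing the name at them), no path
    // separators, exactly one extension, and that extension must be on the allowlist.
    public static bool StrictIsAllowed(string fileName)
    {
        if (string.IsNullOrEmpty(fileName)) return false;
        if (fileName.IndexOfAny(new[] { ';', ':', '/', '\\', '\0' }) >= 0) return false;
        string[] parts = fileName.Split('.');
        if (parts.Length != 2 || parts[0].Length == 0 || parts[1].Length == 0) return false;
        return Allowed.Contains(parts[1]);
    }

    public static void Main()
    {
        // Constructed sample names; the third has the shape described in the post.
        string[] samples = { "photo.jpg", "notes.txt", "myHack.asp;.jpg", "report.final.pdf", "page.asp" };
        foreach (string name in samples)
            Console.WriteLine("{0,-22} weak={1,-5} strict={2}", name, WeakIsAllowed(name), StrictIsAllowed(name));
    }
}
```

Running it shows the weak check accepting the semicolon name while the strict check rejects it; the double-extension “report.final.pdf” is also rejected by the strict check, which is the intended trade-off.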

An external user is a person who is not an employee or similar personnel of the company or its affiliates, and is not someone to whom you provide hosted services. An EC license assigned to a server permits access by any number of external users, as long as that access is for the benefit of the licensee and not the external user.

Anyway, the only time you won’t need an external connector license for your SQL Server database is when your installation is licensed per processor.

Per Processor Licensing

Under the Per Processor model, you acquire a Processor License for each processor in the server on which the software is running. A Processor License includes access for an unlimited number of users to connect from either inside the local area network (LAN) or wide area network (WAN), or outside the firewall (via the Internet). You do not need to purchase additional server licenses, CALs, or Internet Connector Licenses.

Monday, February 22, 2010

If you are getting the “Response.Redirect cannot be called in a Page callback” error, then you are most probably using AJAX and calling Response.Redirect (or Server.Transfer) in an event that was fired from within an AJAX panel.

The reason this does not work is that controls within an AJAX panel trigger only a partial post-back, and you cannot perform a redirect from within a partial post-back.

Fixes:

1. Don’t do a redirect in an event that is fired due to a partial post-back!

2. In the event, instead of doing a redirect, register a JavaScript method that will perform the redirect from the client’s browser, e.g.:
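An added example of the second fix (the post’s own snippet is not reproduced here): code-behind for a page whose button sits inside an UpdatePanel. The page class, control name and destination page are assumptions.

```csharp
using System;
using System.Web.UI;

// Added example, not the post's snippet. The button lives inside an UpdatePanel, so calling
// Response.Redirect here would raise "Response.Redirect cannot be called in a Page callback".
public partial class SaveForm : Page
{
    protected void btnSave_Click(object sender, EventArgs e)
    {
        // ... do the work the event exists for (save, validate, etc.) ...

        // Fixed, server-chosen destination. If the target ever comes from the request,
        // check it against a list of known pages first so this cannot become an open redirect.
        string url = ResolveClientUrl("~/Default.aspx");

        // The URL is a constant containing no quotes, so it can be dropped into the literal as is.
        string script = "window.location.href = '" + url + "';";

        // Registered through ScriptManager so it is emitted with the partial-update response
        // and runs in the browser once the UpdatePanel has finished refreshing.
        ScriptManager.RegisterStartupScript(this, GetType(), "redirectAfterSave", script, true);
    }
}
```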

You run the app and leave it in its maximized state and then go about doing your daily work. And when you are happy with the art created just hit the S button and it will create a file in the same folder where the app is running.

Friday, February 19, 2010

Here is a post on how the BBC is redesigning their website. I found it an interesting study in design and in how thorough their project was (setting guidelines for underlying grids, color palettes, embedding of audio/video, etc.).

Also, as someone who is completely bereft of the ability to choose colors that go well with each other, there are palettes on the page that I could use on my web pages (as well as other design pointers).

Wednesday, February 17, 2010

I have written many times on this blog that the one skill I lack is that of an artist. Colors, layout, etc. are hard for me to just create. But when I see good design, I know it. It just appeals to me. If I get to work with a good designer, then I can come up with some cool UIs, but a good designer is a luxury that isn’t always available on all the projects we work on. This is especially true for personal projects.

Today I came across a tool called Artisteer. It looks very promising as a template creation engine, that makes it extremely easy to create design templates for CMSs like DotNetNuke, Blogger, etc.

I plan on writing more about my experience with Artisteer.

Today I tested it out with Blogger and I realized that I needed to backout the change. While exporting a template, Artisteer displayed a message about saving a backup of the existing template. But when the time came to revert back to the old design, I could not find it on my machine. Here is where you can find it:

Disclosure: I requested a demo license from Artisteer’s creators to test out the capabilities of the tool when it comes to Blogger blogs and DotNetNuke. The above instruction, as well as any others that I create related to Artisteer, will be based on my testing with an Artisteer version activated by a free license key provided by the developers of the app.

Heard about Comcast’s XFinity upgrade today (it isn’t yet available in my neck of the woods in Denver), but the features look interesting:

From Xfinity.com:

50Mbps downloads today, increasing to 100+ Mbps and even faster in the future

100+ HD channels, 5,000+ HD choices, and the best HD picture quality available

50 to 70 multi-cultural channels

Approaching 20,000+ Video On Demand titles

Fancast XFINITY TV, with 19,000+ movies, top shows, and other content available online, at home or on the go

New cross-platform and mobile features like: remote DVR, Universal Caller ID, an interactive home telephone, apps for iPhones and the ability to use a remote control to order products and services while watching TV

Comcast’s service has overall been good. My only problem with them has been the price that they think their customers are willing to pay. I am seriously considering cutting out cable the next time I have to renew my services at a higher fee.

Thursday, February 11, 2010

I have typically used a “StreamReader” to read through text files when I had to parse out comma-separated values. This normally meant that I had to do a lot of the heavy lifting of reading values, parsing them and handling exceptions. And most often I was reading the data into a DataSet that could then be easily displayed in a UI.

Today I was shown a much easier way to do the above using the Excel engine by Joe Harker. It uses an ODBC driver to read a CSV file just like you would read in data from any database. The trick is to use the correct connection string. Here is a sample connection string ({0} is replaced with the file path):

"Provider=\"Microsoft.Jet.OLEDB.4.0\";Data Source=\"{0}\";Extended Properties=\"Excel 8.0; HDR=Yes; IMEX=0\""

[Important Update: 02-12-2010]

There is a limitation with the JET engine: it can read in only 65,535 rows and 255 columns of data (not sure if this limit is different on 64-bit machines).

As a software developer I have always found myself deficient in the area of colors. I can make a simple interface with just black and white, or I can apply the predetermined colors that are part of a template/scheme to a page to make it pretty. But what I cannot do is select colors on my own to make a page look aesthetic and pleasing. So I am always on the lookout for tutorials/documents that help me in this area:

Are you getting the “Unable to update the EntitySet ‘xxxx’ because it has a DefiningQuery and no <InsertFunction>” error?

Check to make sure your table has a primary key. I think the reason you get this error is that, because your table does not have a primary key, EF treats your table like a view that is not directly updatable and needs special logic (either through .Net code or a stored procedure) to update it.

Set the primary key, delete the EF model and then re-add it (just refreshing the model didn’t do it for me). And you should be back in business.

Sunday, February 07, 2010

A very cool iPhone app that uses voice recognition to hail taxis, suggest restaurants and even tell you where to go for a haircut: Siri

I really like the intelligence built into the search: Like when I said “I need a hair cut”, it automatically figured out I wanted a hair cutting salon and when I said “Chinese take out”, it automatically looked up Yelp for Chinese restaurants that deliver!

Good information on what goes into planning for an Agile iteration, from someone who talks the talk and walks the walk.

How Agile Works

Each number represents an iteration, which is a week of work. I1, I2, and I3 are the development iterations. The majority of a Program Manager’s time is spent in the pre-I1 iterations, named –3, –2, and –1.

The Epic Story – This is what goes on a sticky note on the whiteboard. For example, “Ratings and Reviews for Project releases” is an epic story with the following stories associated with it.

Rate Release

Display ratings and reviews on release page

Display ratings and reviews on project homepage

Move release metadata to new location // also a UX improvement Epic story

Releases sorted by date with release ratings // also a UX improvement Epic story

I have a couple of aspx pages (that I inherited from a project) that are never really used to render HTML content to an end user and instead are used to receive an HTTP POST message and process the contents. Granted, I could use a web service to process the messages being sent, but that would involve changing the clients that send the POST messages, and those are out of my control.

Today I came across the IHttpHandler interface, and this will work perfectly for me:

1. Clients can continue sending their POST messages.

2. I can re-architect the pages to be HttpHandlers and save on a lot of the extra handling that a normal aspx page would have to do.
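An added example of such a handler (not the inherited pages from the post); the class name, the old page path “ReceiveMessage.aspx”, the body size cap and the MessageProcessor stand-in are assumptions. Mapping the handler to the existing .aspx path in web.config is what lets the clients keep posting to the same URL.

```csharp
using System.IO;
using System.Web;

// Added example, not the post's inherited pages. Registering this handler on the old .aspx
// path in web.config, under <system.web><httpHandlers>:
//   <add verb="POST" path="ReceiveMessage.aspx" type="InboundMessageHandler" />
// keeps the clients' URL unchanged while skipping the page life cycle entirely.
public class InboundMessageHandler : IHttpHandler
{
    // Constructed cap on the request body; size it to the largest legitimate message.
    const int MaxBodyBytes = 64 * 1024;

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        HttpRequest request = context.Request;
        HttpResponse response = context.Response;
        response.ContentType = "text/plain";

        // The pages only ever received POSTs, so refuse anything else up front.
        if (request.HttpMethod != "POST")
        {
            response.StatusCode = 405;
            response.AppendHeader("Allow", "POST");
            return;
        }
        // Reject oversized bodies before reading them into memory.
        if (request.ContentLength > MaxBodyBytes)
        {
            response.StatusCode = 413;
            return;
        }

        string body;
        using (StreamReader reader = new StreamReader(request.InputStream, request.ContentEncoding))
        {
            body = reader.ReadToEnd();
        }

        // The processing logic from the old aspx code-behind moves here unchanged.
        bool accepted = MessageProcessor.Handle(body);
        response.StatusCode = accepted ? 200 : 400;
        response.Write(accepted ? "OK" : "REJECTED");
    }
}

// Hypothetical stand-in for the message logic that lived in the old aspx code-behind.
static class MessageProcessor
{
    public static bool Handle(string body)
    {
        return !string.IsNullOrEmpty(body);
    }
}
```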

There doesn’t seem to be a straightforward way to do this using the GUI in SQL Server Management Studio.

I like managing users using roles and the following method is an easy way to provide a user the permission to execute all stored procedures in that database.

You create a role called db_executor and grant the role Execute privileges. You then assign the user that needs the ability to execute stored procs to the db_executor role.

CREATE ROLE db_executor;
GRANT EXECUTE TO db_executor;

I am not a DBA, so I am not sure whether this is bad practice (because you end up giving execute permissions on all stored procs to all users assigned to that role). Leave a comment if you know otherwise.

If you try to attach an MDF file that does not have an associated LDF file in SQL Server Management Studio, SSMS will throw an error. The simplest way around it is to click on the LDF file location in the dialog and click Remove. SSMS will then attach the MDF file and create the associated LDF file for you.

Tuesday, February 02, 2010

Most articles that I found about MSDASQL for 64-bit Windows said that MSDASQL support was not going to be available.

This was a big letdown for my team, as we had this brand spanking new 64-bit web server and we had some old ASP apps that needed to be hosted on it. The reason this was a letdown was that these old ASP apps were using the MSDASQL data provider with the MSDataShape provider, and the apps just would not run.

After some more debugging we found that a desktop app that used the same connection string would work if it was built as a 32-bit app but not as a 64-bit app. This meant that the server had 32-bit versions of the ODBC drivers needed for MSDASQL/MSDataShape, but not the 64-bit versions. (The 64-bit app would fail with the “Class not registered” error, the same error I was getting when the ASP app was running.)

The reason this was a letdown was that, without 64-bit OleDb/ODBC drivers, we would have to run IIS in 32-bit isolation mode (we have IIS 6, which supports running in either 32-bit or 64-bit mode; I think this is not the case with IIS 7). As we were not going to be able to move to IIS 7, it looked as though we were going to have to run IIS in 32-bit isolation mode, which means I cannot load any 64-bit DLLs. What good would the 64-bit environment be then?

Fortunately I found the following Microsoft Download page, where version 2.82.4250.0 of the OLEDB Provider for ODBC can be downloaded, which provides support for 64 bit Windows 2003.

If your WCF service has a BasicHttpBinding endpoint – then you can use SoapUI for testing.

If you need to test a WSHttpBinding endpoint – then I found that SoapUI had a problem creating the correct requests. Instead you can use the WCF Test Client that comes with VS 2008 and can be found at: "C:\Program Files\Microsoft Visual Studio 9.0\Common7\IDE\WcfTestClient.exe"